I am about to add a login system to my web site, but I don't think it's a good idea, security-wise, to use Ajax to send and receive confirmation from an external PHP script called login.php, and to log out the same way with another logout.php.
Any recommendation?

How will it differ? At the end of the day it's just an HTTP request passed over the protocol; concentrate more on encapsulating those details with more server-side verification!
– Arpit Aug 4 '11 at 9:36

6 Answers

I can't think of any security implications of using Ajax to handle login and logout. It doesn't matter what you send back and forth (as long as you don't send plain-text passwords from server to client) between the Ajax and server-side layers, because the session will be the one that holds the authorization state.

However, you would still have to refresh the page, or redirect, to show the appropriate content to the just-authorized user. So I don't think Ajax is going to be effective in this particular situation.

In fact, you do send passwords in plain text from the client to the server (except for HTTPS pages). However, you shall be punished if you send plain-text passwords from server to client.
– Clement Herreman Aug 4 '11 at 9:41

@Clement: That's what I meant! I will edit to make it clear.
– Shef Aug 4 '11 at 9:44

No, I can just load the content that should be loaded with an Ajax request: I can simply load the container, which will change the content (at the server side) and send different content (the appropriate content).
– Qchmqs Aug 4 '11 at 9:54

@Qchmqs: Then there is no security flaw, because the authentication validation will be done on the server side. When you send back the response with the content, you will check whether the user has been authenticated.
– Shef Aug 4 '11 at 9:56

Also, from a usability point of view, autocomplete won't work for Ajax forms in Chrome, or for Ajax-loaded forms in Firefox. The browsers won't even offer to remember your password.
– greg0ire Mar 15 '13 at 17:28

Login through an Ajax POST should be safe as long as you have a way of preventing XSRF attacks.
It can be done by setting an X-CSRFToken header in your Ajax request. On the server side you should have some sort of middleware to check and verify the CSRF token from the header.

You can set the CSRF token in a cookie and then query it and set it in the header:

GET requests might end up in the web server logs, along with plain-text passwords :/
– Clement Herreman Aug 4 '11 at 9:43

@clement: Sure, but that is true whether the request is done via a form or via Ajax.
– Johan Aug 4 '11 at 10:17

Right, so then it is even more false that GET or POST have the same set of security risks.
– Clement Herreman Aug 4 '11 at 12:16

@Johan I think the problem is that your wording could be interpreted in multiple ways. What you meant was that a normal GET or POST has the same security implications as an Ajax GET or Ajax POST. But what you wrote could be interpreted as GET and POST having the same security risks, whether Ajax or not.
– Davy8 Oct 10 '11 at 20:17